restrict access to root folder

[deansatch]

I have given someone ftp access to a folder which is placed at the root. Obviously if he wanted to, he could access all the main site files at the root by doing a simple include(../private-stuff.php); or even go as far as writing a script that deletes all the files in the root.

 

Is there a way I can restrict access so he can only include files from within his directory and he can't delete or read any files in the root? Possibly not a php solution but maybe using htaccess?

[Deoctor]

if u want to use an php for ftp solution  i would suggest you to do it out by using the ft2(File Thingie)

[deansatch]

I don't. I have created an ftp login within my hosting account for a specific directory and want to make sure that person can not include or edit files outside of the directory.

[Deoctor]

if u gave an access to the specific folder using ftp access then i dont think users can access the folders outside of that folder.

[Adam]

You may be able to find a solution using the mod_access module. Near the bottom there's a bit about directories -- not tried it though so I can't say for sure if this is what you're after, and I can't say how this affects PHP.

[oni-kun]

How do you think webhosts disallow you to see the contents of /home/xxxxx/ on your FTP?

[deansatch]

that's what I want to find out.

[deansatch]

I'm still struggling to find an answer for this that works. Basically, I want to stop files from within directoy www.site.com/limitedperson/ accessing files in root (www.site.com/) i.e. disallow include(), require(), fopen() etc...

 

e.g. If they create a file: site.com/limitedperson/get_access.php and put within that file:

<?php include('../index.php'); ?>

I want it to fail - "access denied" - rather than showing the index page that they shouldn't have access to.

[emopoops]

it wouldnt matter if they were in a directory above or below all the site contents u can include the document root variable and the add from there.

[oni-kun]

I'm still struggling to find an answer for this that works. Basically, I want to stop files from within directoy www.site.com/limitedperson/ accessing files in root (www.site.com/) i.e. disallow include(), require(), fopen() etc...

 

e.g. If they create a file: site.com/limitedperson/get_access.php and put within that file:

<?php include('../index.php'); ?>

I want it to fail - "access denied" - rather than showing the index page that they shouldn't have access to.

 

Yes, You create a user with access only to the tolder /limitedperson/ and edit vsftpd.conf to reflect their permissions in allowing them to access root. Standard linux config.

[deansatch]

@oni-kun - I don't have access to the vsftpd.conf file. Can this be done via htaccess or php.ini?

[oni-kun]

@oni-kun - I don't have access to the vsftpd.conf file. Can this be done via htaccess or php.ini?

 

FTP is a very very distant program from Apache. You cannot. Do you have shell access? It's in /etc/vsftpd.conf. If you're limited than there's not much you can do, Atleast nothing in standard documentation.

[Deoctor]

under the php.ini file there is an option for this

check for the core values disable_functions

using this one u can do it out..

what ever fucntions u want give them over here and it will get disabled u need to restart ur apache though

[deansatch]

Well I don't see the point in web hosts giving the ability to create extra ftp accounts - it means that I can give someone ftp access to a particular folder and they can write a quick script to harvest all the login details from config files or delete/alter all the files on the server!!! I may as well give them full ftp access!

 

@ym_chaitu - I still need the functions enabled, just disallow them from accessing files outside of the directory.

[Deoctor]

then no other solution use the ft2.php as i already told in which u can restrict access for  uploading of the files just go through the documentation http://www.solitude.dk/filethingie/

[deansatch]

It's not about restricting user access via ftp - it is restricting file access. The user can log in via ftp and only see the files in the ftp directory - but it doesn't stop them putting a script in there that can access files in the root. I feel that I have not explained the problem well enough - if anyone understands what I am trying to do - please write a better explanation of the problem

[deansatch]

Ah! I have added a line in php.ini

open_basedir = /home/sites/site.com/public_html/limited_user

 

This restricts the includes from going to the root - but now I have the problem that the user can now create another php.ini file and override that open_basedir line. Is there a way to stop overriding the php.ini file in the root folder from a php.ini file in a sub-directory?

[oni-kun]

Ah! I have added a line in php.ini

open_basedir = /home/sites/site.com/public_html/limited_user

 

This restricts the includes from going to the root - but now I have the problem that the user can now create another php.ini file and override that open_basedir line. Is there a way to stop overriding the php.ini file in the root folder from a php.ini file in a sub-directory?

 

I'm not 100% sure, but try this as root in your .htaccess:

<Files /limitedperson/php.ini>
order deny,allow
deny from all
</Files>

 

This will tell the server to ignore that file. (Atleast in theory)

[emopoops]

thank u ive never used this filemajig before im really getting aroused by this thread. im checking to see if any other arousals pop up. ive subscribed double times and im making sure it emails me the answer when u do post it. thanks in advance im really looking foreaed to the nicenecc on my website this will bring

[deansatch]

Thanks oni-kun. It doesn't work though - I think that only denies access to the file from the user typing it in the address bar of the browser but the server still reads it.

[oni-kun]

Thanks oni-kun. It doesn't work though - I think that only denies access to the file from the user typing it in the address bar of the browser but the server still reads it.

 

Meh, you're right. I'm not sure if the original php.ini has a 'hardcoded' address for itself that cannot be overridden, it must be an option somewhere.